Authentication and authorization
This guide introduces the different methods of authenticating and authorizing apps with Shopify’s platform. Make sure that you understand the differences between the types of authentication and authorization methods before you begin your development process.
You can use Shopify CLI to generate a starter app with boilerplate code that handles authentication and authorization.
The starter app includes code for an embedded app that follows app best practices:
- Authorizing your app using session tokens and token exchange.
- Installing on stores using Shopify managed installation.
You should use this starter app unless you need to create an app that is not embedded.
Authentication vs. authorization
Authentication is the process of verifying the identity of the user or the app. To keep transactions on Shopify’s platform safe and secure, all apps connecting with Shopify APIs must authenticate when making API requests.
Authorization is the process of giving permissions to apps. When an app user installs a Shopify app, they authorize the app, enabling the app to acquire an access token. For example, an app might be authorized to access orders and product data in a store.
Types of authentication and authorization methods
The authentication and authorization methods that your app needs to use depend on the tool that you used to create your app and the components that your app uses.
Authentication
- Embedded apps need to authenticate their incoming requests with session tokens.
- Apps that are not embedded need to implement their own authentication method for incoming requests.
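What authenticating an incoming request with a session token involves, as an added example that is not from the original page or from Shopify's own code. It assumes the session token is a JWT signed with HS256 using the app's client secret, with `aud` set to the app's client ID and `iss`/`dest` naming the shop; the function names, client ID, secret and shop domain are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def sign(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def verify_session_token(token, client_id, client_secret, now=None, leeway=5):
    """Return the token's claims if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token header must never choose it (blocks "alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Check the HMAC in constant time before trusting any claim.
    if not hmac.compare_digest(sign(f"{header_b64}.{payload_b64}", client_secret), signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict) or not all(isinstance(claims.get(k), (int, float)) for k in ("exp", "nbf")):
        raise ValueError("missing exp/nbf")
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if claims.get("aud") != client_id:  # token was minted for another app
        raise ValueError("token issued for a different app")
    shop = urlparse(str(claims.get("dest", ""))).hostname
    if not shop or urlparse(str(claims.get("iss", ""))).hostname != shop:
        raise ValueError("iss and dest name different shops")
    return claims

def make_token(claims, secret, alg="HS256"):
    """Build a constructed sample token for the demo (an app never mints these)."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(sign(f'{head}.{body}', secret))}"

CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"  # constructed values
SAMPLE_CLAIMS = {"iss": "https://example-shop.myshopify.com/admin", "aud": CLIENT_ID,
                 "dest": "https://example-shop.myshopify.com", "exp": 1060, "nbf": 1000}
if __name__ == "__main__":
    print(verify_session_token(make_token(SAMPLE_CLAIMS, CLIENT_SECRET), CLIENT_ID, CLIENT_SECRET, now=1030))
```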
Authorization
Authorization encompasses the installation of an app and the means to acquire an access token.
To avoid unnecessary redirects and page flickers during the app installation process, you should configure your app's required access scopes using Shopify CLI. This allows Shopify to manage the installation process for you.
If you aren't able to use Shopify CLI to configure your app, then your app will install as part of the authorization code grant flow. This provides a degraded user experience.
The following table outlines the supported installation and token acquisition flows for various app configurations.
Whenever possible, you should create embedded apps that use Shopify managed installation and token exchange.
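Type of app | Supported installation flows | Supported token acquisition flows |
---|---|---|
Embedded app | Shopify managed installation (recommended); installation during authorization code grant | Token exchange (recommended); authorization code grant |
Non-embedded app | Shopify managed installation (recommended); installation during authorization code grant | Authorization code grant |
Admin-created custom app | Installed when generated in the Shopify admin | Generated in the Shopify admin |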
Getting started
- Authenticate your embedded app using session tokens.
- Authorize your embedded app using a session token with token exchange.
- Authorize your app that is not embedded with authorization code grant.
- Authenticate your app created in the Shopify admin with access tokens.